How Does Firebug Get Contents From an IFrame? - firefox

I am well aware of cross-origin restrictions when it comes to browsers, but what I don't get is how Firebug can get and display the HTML from an iframe with this restriction in place. Is there something plugins have access to that lets it get around this?

Plugins have access to quite a bit. They're not considered cross-origin, they're considered a part of your browser.

Related

firefox has blocked content that isn't secure

I am running a site. Some of its pages are not working in Firefox, but work perfectly in Chrome. In Firefox it shows me a gray shield next to the URL, and when I click on that shield and manually click on "disable protection on this page", my page works fine. So now the problem is that there are many users on my site, and some of them don't know how to do it, so I want to handle it on my site so its users don't need to do that.
How can I do it? I Googled and found a Firefox setting in about:config named security.mixed_content.block_active_content. If we set it to false then it works. So is there a way to do it programmatically, or some other way, so that users just view that page without seeing that shield?
As I understand it, content that is blocked by default by Firefox now is http content that is accessed from an https page. Common types of content that fall foul of this are external stylesheets and images.
As far as I am aware the way to prevent the problem on your site is to make sure that if a page is served by https, any and all other files that it references are also served by https.
Hi Friends,
The reason you see this error in Mozilla Firefox is because your website is a Mixed Box, that is, your website has many internal links which are not SSL protected.
In order to avoid this error from showing up in Mozilla Firefox you will have to make sure all the internal links on your website are SSL protected.
So, use https:// in your page, not http://.
I hope I was clear enough in answering your query.
"firefox has blocked content that isn't secure" means there is some content on your website that is not secure.
I had the same issue, as my fonts were downloading with http://google.apis.something instead of https.
Then I changed to //google.apis.something and the problem was solved.
To know what is not secure in your website use this link

the bookmarklet doesn't work on the HTTPS website?

Here's how I developed a bookmarklet to get the input control value on a web page:
I wrote a JavaScript function, added the bookmarklet to my browser, loaded my test web page, and tested the bookmarklet; the result was OK.
But then I tested the bookmarklet on an HTTPS website, and the bookmarklet cannot get the input control value. Why? Does the bookmarklet not work on HTTPS websites? Is there any way to make the bookmarklet work on HTTPS sites?
3 questions:
Why can't you get the input value: there is no reason why it does not work; almost certainly you are looking for the wrong id.
Do bookmarklets work on HTTPS: absolutely, HTTPS is not the problem.
Can I make it work on HTTPS sites: if you provide a code sample, we might be able to tell you what is wrong with it.
I know this is a pretty old question, but since I came across it while searching for a similar problem, I will add my thoughts. If you wrote your own bookmarklet, this is most likely caused by your bookmarklet trying to access insecure content. If you have other static content that your bookmarklet references on your own server, such as HTML, JS, CSS, or image files, the browser will block that content from loading. This is because of the Same Origin Policy. This question is also discussed in this question. If you, or someone else viewing this, are having the same problem, attempt to serve your content up as https or access only other content that is https.

External iframe source-code (Firebug, Selenium...)

1) I have an external iframe, and I wondered how Selenium or Firebug managed to overcome the Same Origin Policy to retrieve source code (or even execute some JavaScript).
As for Firebug, I think this has to do with cd(frames[0]) command. In Selenium, you can access content in the iframe with an xpath link, but I have no idea how it internally works.
2) Is it possible to use similar methods outside of a Firefox plugin?
3) What about IE? (or Chrome, but it is way less important)
Thank you :-)
The way that Selenium and Firebug get around it is by running in the browser chrome rather than in the JavaScript sandbox. For example, calling *firefox calls the slightly less secure version of the browser; by less secure I mean it is running in more of the browser chrome than your average user, and can do the relevant calls.
Addons and Extensions to Firefox run in this context too so can access things in the same way.

Is there a Firefox plug in which can list unsecure assets which are causing the "Warning: Contains unauthenticated content"

I am developing web pages which reference external links/images/stylesheets etc. I have 1 page which loads fine in HTTPS, but then when I apply different external styles, some of the external styles cause a warning "Contains unauthenticated content".
Don't get me wrong, I understand WHAT this means, but I can't see any reference to any HTTP requests in View source, Firebug, Live HTTP Headers or in the View Page Info > Media window.
Does anyone have any tips or ideas of plug-ins or tools which can identify exactly which items Firefox is not happy with?
Unfortunately this page is not live on the internet so I can't show it to you.
Thanks
You could, theoretically, use a proxy that just logs all requests and redirects them to the server. Of course, that is a very roundabout way of doing this :)
I have used Proxomitron and this showed the file!
Use Firefox to see the media assets. Click on the lock on the Status Bar when you are on a secure page, then Media.
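
For the two mixed-content threads above (the gray shield and the "Contains unauthenticated content" warning), an added example that is not code from any of the posters: a Node.js function that lists the `http://` subresources an HTTPS page pulls in, including `@import` and `url()` references inside stylesheets, which do not appear in the page's own source. The page URL, markup and stylesheet text are constructed samples, and the regex scan is a simplification rather than a full HTML/CSS parser.

```javascript
// Added example; the page, markup and stylesheet text below are constructed samples.
// Tags whose http:// loads are active mixed content (scripts, stylesheets, frames,
// plugins); images, audio and video are passive (display) content.
const ACTIVE_TAGS = new Set(['script', 'link', 'iframe', 'object']);
const TAG_RE = /<(script|link|iframe|object|img|audio|video)\b([^>]*)>/gi;
const ATTR_RE = /(?:^|\s)(?:src|href|data)\s*=\s*["']?([^"'\s>]+)/i;

function findMixedContent(pageUrl, html, stylesheets = {}) {
  if (new URL(pageUrl).protocol !== 'https:') return []; // only HTTPS pages can be mixed
  const findings = [];
  const check = (kind, where, ref, base) => {
    let resolved;
    try { resolved = new URL(ref, base); } catch (e) { return; } // skip unparsable refs
    if (resolved.protocol === 'http:') findings.push({ kind, where, url: resolved.href });
  };
  // 1. Subresource attributes in markup. <a href> is navigation, so it is not scanned.
  for (const [, tag, attrs] of html.matchAll(TAG_RE)) {
    const name = tag.toLowerCase();
    if (name === 'link' && !/(?:^|\s)rel\s*=\s*["']?stylesheet/i.test(attrs)) continue;
    const m = ATTR_RE.exec(attrs);
    if (m) check(ACTIVE_TAGS.has(name) ? 'active' : 'passive', `<${name}>`, m[1], pageUrl);
  }
  // 2. References inside stylesheets, which never appear in the page's own source.
  for (const [sheetUrl, css] of Object.entries(stylesheets)) {
    const base = new URL(sheetUrl, pageUrl).href; // url() resolves against the sheet
    const importRe = /@import\s+(?:url\(\s*)?["']?([^"')\s;]+)[^;]*;/gi;
    const rest = css.replace(importRe, (whole, ref) => {
      check('active', `@import in ${sheetUrl}`, ref, base);
      return '';
    });
    for (const [, ref] of rest.matchAll(/url\(\s*["']?([^"')\s]+)/gi)) {
      check('css-url', `url() in ${sheetUrl}`, ref, base);
    }
  }
  return findings;
}

const SAMPLE_HTML = `
  <link rel="stylesheet" href="/css/theme.css">
  <script src="http://cdn.example.test/lib.js"></script>
  <link rel="stylesheet" href="//fonts.example.test/css?family=Demo">
  <img src="http://img.example.test/logo.png">
  <a href="http://example.test/about">About</a>`;
const SAMPLE_SHEETS = { '/css/theme.css': `
  @import url("http://legacy.example.test/base.css");
  body { background: url(http://img.example.test/bg.png); }
  .icon { background: url(/img/icon.png); }` };

console.log(findMixedContent('https://shop.example.test/cart', SAMPLE_HTML, SAMPLE_SHEETS));
```

Protocol-relative references such as `//fonts.example.test/...` inherit the page's scheme, so they are not reported for an HTTPS page.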

Pass information back from an iframe?

Right now I'm building a Firefox plugin that duplicates some functionality on my website. It takes in an email address and then returns information to the user. The easiest way to do this in the plugin is to use an iframe and render that super simple form on my website. All of this works great, but to make the plugin really useful, I would like the plugin to have access to the information that the iframe renders, so it can use it in the current window that the user is in.
Is it possible to pass information back through an iframe in this manner? I know there are quite a few domain access restrictions with iframes, so any help or insight is appreciated!
I've done this two ways.
If the iframe is on the same domain as the parent website, you can just, in JavaScript, access window.parent.
If it isn't, however...I've done a dirty trick. I'll share it here, though, as it may help.
We created a page on the other domain, which would call to window.parent.parent. We put that in a hidden iframe inside the iframed page, and send it a querystring argument or two. It's not pretty, but it gets around cross-domain scripting problems.
This basically means that you have this sort of thing:
admin.example.com
content.example.com - iframe
admin.example.com?contentid=350 - hidden iframe that makes a window.parent.parent call.
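
A different technique from the hidden-iframe trick above, shown as an added example that is not the poster's code: `window.postMessage`, with the receiving page checking `event.origin` and `event.source` before trusting the data. The two origins reuse the hostnames from the answer with an assumed `https://` scheme; the message shape and the helper names `sendResult` and `makeReceiver` are assumptions for illustration.

```javascript
// Added example; origins, message shape and helper names are assumptions.
const PARENT_ORIGIN = 'https://admin.example.com';   // page that embeds the iframe
const FRAME_ORIGIN = 'https://content.example.com';  // page rendered inside the iframe

// Runs inside the iframe: deliver the result only to the expected parent origin.
// A targetOrigin of '*' would hand the data to whatever page embedded the frame.
function sendResult(parentWindow, result) {
  const payload = JSON.stringify({ type: 'lookup-result', result });
  parentWindow.postMessage(payload, PARENT_ORIGIN);
}

// Runs in the parent: builds a 'message' listener that ignores anything not sent
// by the expected frame window from the expected origin in the expected shape.
function makeReceiver(frameWindow, onResult) {
  return function onMessage(event) {
    if (event.origin !== FRAME_ORIGIN) return false;  // wrong sender origin
    if (event.source !== frameWindow) return false;   // not our iframe's window
    let msg;
    try { msg = JSON.parse(event.data); } catch (e) { return false; }
    if (!msg || msg.type !== 'lookup-result') return false;
    if (typeof msg.result !== 'object' || msg.result === null) return false;
    onResult(msg.result);
    return true;
  };
}

// Browser wiring for the parent page (skipped when the file is run under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.querySelector('iframe');
  if (frame) window.addEventListener('message', makeReceiver(frame.contentWindow, console.log));
}
```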
Is the point of this whole exercise functional testing of your website? If so, instead of your custom Firefox plugin, consider using Selenium to automate interactions with websites. It works with all major browsers and supports the inspection of page elements you are trying to do (using XPath). It also features a Firefox plugin called Selenium IDE that allows you to conveniently "record" your interactions with a website for automated playback later.
